Microsoft Entra ID Security Updates: Key 2026 Changes

Summary

Microsoft is making three important Microsoft Entra ID security changes in 2026: retiring Custom controls in favor of External MFA, enforcing Conditional Access more consistently during credential registration, and requiring explicitly registered authentication methods for SSPR. These updates matter because they close policy enforcement gaps, improve identity security, and require admins to review configurations before enforcement deadlines arrive.

Introduction

Microsoft is tightening Microsoft Entra ID security in several areas that directly affect authentication, Conditional Access, and self-service password reset. For IT admins, these changes are important because they remove legacy behavior, close enforcement gaps, and require preparation ahead of hard deadlines in 2026.

What’s new in Microsoft Entra ID

1. Custom controls are being deprecated

Microsoft is retiring Custom controls and steering organizations to External MFA for third-party MFA integrations in Conditional Access.

  • Existing Custom controls will keep working during the transition period
  • Retirement date: September 30, 2026
  • End of life: May 2027
  • External MFA offers deeper integration and a more modern, standards-based approach

If your organization still relies on Custom controls, migration planning should start now.

2. Conditional Access will apply consistently during credential registration

Starting the week of July 6, 2026, Conditional Access policies targeting the Register security information action will also apply to:

  • Windows Hello for Business provisioning
  • macOS Platform Single Sign-on registration

This closes a long-standing gap where some registration experiences were not governed by the same Conditional Access rules used elsewhere. Users who do not meet policy requirements may see additional prompts during setup or registration.

3. SSPR will require registered authentication methods

Microsoft is changing self-service password reset (SSPR) so only explicitly registered authentication methods can be used.

  • Registration campaign starts: July 6, 2026
  • Enforcement begins: September 7, 2026
  • Directory-based phone numbers or email addresses that were never formally registered will no longer work for SSPR verification

This aligns password reset with stronger proof-of-possession and user-verified authentication methods.

Impact on IT administrators

These changes could affect onboarding, device setup, password reset success rates, and third-party MFA integrations. Organizations that do not prepare may see user friction, help desk volume increases, or unsupported legacy configurations as enforcement dates approach.

What admins should do now

  • Inventory any Custom controls dependencies
  • Review External MFA migration requirements
  • Test registration-related Conditional Access policies in report-only mode
  • Validate Windows Hello for Business and macOS registration scenarios
  • Audit SSPR readiness and identify users relying on unregistered directory values
  • Communicate upcoming registration prompts and deadlines to users and support teams
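The first and third checklist items can be run offline against an export of the tenant's Conditional Access policies. The script below is an added example, not code from this post or from Microsoft. It assumes the JSON shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies`; the sample policies, the placeholder control ID and the `audit_policies` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph
# GET /identity/conditionalAccess/policies response (not real tenant data).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Partner MFA via custom control", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "customAuthenticationFactors": ["placeholder-control-id"]}},
 {"displayName": "Registration requires MFA", "state": "enabled",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                    "customAuthenticationFactors": []}},
 {"displayName": "Registration requires compliant device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"],
                    "customAuthenticationFactors": []}},
 {"displayName": "Sign-in frequency only", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": null}
]}
""")

REGISTER_ACTION = "urn:user:registersecurityinfo"
STATE_BUCKET = {"enabled": "registration_enforced",
                "enabledForReportingButNotEnforced": "registration_report_only"}

def audit_policies(export):
    """Group policy names by the 2026 change that touches them."""
    findings = {"custom_controls": [], "registration_enforced": [],
                "registration_report_only": [], "registration_disabled": []}
    for policy in export.get("value", []):
        name = policy.get("displayName") or policy.get("id", "<unnamed>")
        # grantControls is null on policies that only set session controls.
        grant = policy.get("grantControls") or {}
        apps = (policy.get("conditions") or {}).get("applications") or {}
        if grant.get("customAuthenticationFactors"):
            findings["custom_controls"].append(name)  # needs External MFA migration
        if REGISTER_ACTION in (apps.get("includeUserActions") or []):
            bucket = STATE_BUCKET.get(policy.get("state"), "registration_disabled")
            findings[bucket].append(name)
    return findings

if __name__ == "__main__":
    for bucket, names in audit_policies(SAMPLE_EXPORT).items():
        print(f"{bucket}: {names}")
```

Policies listed under `registration_enforced` are the ones that will also govern Windows Hello for Business provisioning and macOS Platform Single Sign-on registration from the week of July 6, 2026.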

The main takeaway: review your Entra ID authentication and access policies now so these 2026 security changes do not disrupt users later.
